TRANSCRIPT
8/6/2019 Inside Out Hacking
1/22
2006-Aug-30
St. Louis Security Group
Christopher Byrd, CISSP, Senior Security Engineer
SAVVIS Communications
Inside Out Hacking: Bypassing Firewalls
Quick Introduction
About Me
Christopher Byrd, CISSP
Senior Security Engineer
www.riosec.com
About Metasploit
Primary developers H D Moore (hdm) and Matt Miller (skape)
www.metasploit.com
metasploit.blogspot.com
What is Metasploit (review)
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code.
Original version written in Perl
Modular, scriptable framework
Metasploit 3
Written in Ruby
Supports Linux, BSD, MacOSX, Windows (with cygwin)
Modular, scriptable framework
Mixins for common protocols
Using mixins, exploits can be written in as few as 3 lines of code!
Auxiliary modules
Metasploit Uses
Metasploit is for
Research of exploitation techniques
Understanding attackers' methods
IDS/IPS testing
Limited pentesting
Demos and presentations
Metasploit isn't for
Script kiddies
Limited and stale exploits
Interfaces
msfconsole
Interactive console interface
msfcli
Command line exploitation
msfpayload
Create encoded (executable) payloads
msfweb (being reworked)
Because everything has to have a web interface
msfwx GUI (in development)
Point, Click, 0wn
msfapi (in development)
Modularized development platform
Exploits
148 exploits in 2.6; 84 rewritten exploits for 3.0
hpux / irix / linux / macosx / solaris / windows / etc
Application specific exploits
Browsers, backup, ftp, etc
Exploits are passive (client bugs) or active (service exploitation)
Mostly remote exploits, no local privilege escalation (yet)
Organized as platform/application/exploit:
windows/browser/ms06_001_wmf_setabortproc
osx/samba/trans2open
IDS Evasion
Encoders change payload, sometimes exploit signature
Multiple NOP (No Operation) generators
ips_filter plugin
Firewalls != secure
Most common question I'm asked: "I have a firewall, will that protect me?"
Firewalls stop most shotgun and scanning attacks, but:
L7 attacks
Signature evasion
Client side attacks
Often used to create botnets
Human side attacks (L8)
Phishing
Social Engineering
Internet worms are getting rare
UFBP Tunneling
Metasploit PassiveX
Httptunnel
Others
UFBPS Tunneling
Outbound HTTPS (tcp/443) allowed out for accessing secure sites
Banking
Shopping
HTTPS also used to avoid restrictions
Google (cache, mail, talk)
Anonymizer services
SSL encryption bypasses IDS detection
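The slide's point is that tcp/443 is let out because it is "HTTPS", while a tunnel such as Httptunnel only needs the port, not the protocol. A layer-7 check on the first bytes of each outbound connection separates the two: real HTTPS starts with a TLS ClientHello, and real HTTP starts with a request line. The following is an added example written for this transcript (not code from the slides, Metasploit or Httptunnel); the sample payloads and the flow tuples are constructed, and the same check is applied to tcp/80 as well, where "goes over port 80" likewise does not mean "is HTTP":

```python
"""Protocol-conformance check on the first bytes of an outbound connection.

Added example, not code from the slides, Metasploit or Httptunnel.
A tunnel that rides tcp/443 without TLS, or tcp/80 without HTTP syntax,
is what a layer-7 firewall can reject and a port-based firewall cannot.
"""
import re
import struct

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF (simplified RFC 7230 grammar)
_REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_http_request(data: bytes) -> bool:
    """True if the bytes start with a syntactically valid HTTP/1.x request line."""
    return _REQUEST_LINE.match(data) is not None


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the bytes start with a TLS record (type 0x16, version 3.x) whose
    first handshake message is a ClientHello (handshake type 0x01)."""
    if len(data) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 3 or minor > 4:
        return False
    if length == 0 or length > 16384:  # plaintext record fragments are at most 2^14 bytes
        return False
    return data[5] == 0x01


def classify(port: int, data: bytes) -> str:
    """Label what the connection looks like versus what the port implies."""
    if port == 443:
        if looks_like_tls_client_hello(data):
            return "conformant"
        if looks_like_http_request(data):
            return "mismatch: plaintext HTTP on tcp/443"
        return "mismatch: not TLS on tcp/443"
    if port == 80:
        if looks_like_http_request(data):
            return "conformant"
        if looks_like_tls_client_hello(data):
            return "mismatch: TLS on tcp/80"
        return "mismatch: not HTTP on tcp/80"
    return "unknown port"


# Constructed sample payloads (not captures from any real system).
SAMPLES = {
    # TLS record header 16 03 01 00 2a, then handshake type 01 (ClientHello) and 41 filler bytes
    "tls_hello": b"\x16\x03\x01\x00\x2a\x01" + b"\x00" * 41,
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # a non-TLS banner: neither protocol the port implies
    "ssh_banner": b"SSH-2.0-OpenSSH_7.9\r\n",
}


def audit_flows(flows):
    """flows: iterable of (client, port, first_bytes). Returns the non-conformant ones."""
    findings = []
    for client, port, data in flows:
        verdict = classify(port, data)
        if verdict != "conformant":
            findings.append((client, port, verdict))
    return findings


if __name__ == "__main__":
    flows = [  # constructed flow records
        ("192.0.2.10", 443, SAMPLES["tls_hello"]),
        ("192.0.2.25", 443, SAMPLES["http_get"]),
        ("192.0.2.25", 80, SAMPLES["tls_hello"]),
        ("192.0.2.30", 443, SAMPLES["ssh_banner"]),
    ]
    for finding in audit_flows(flows):
        print(finding)
```

The check only looks at the first record or request line, which is all a firewall sees before it must decide; it says nothing about what a genuine TLS session carries afterwards, which is the limitation the "SSL encryption bypasses IDS detection" bullet describes.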
Other related protocols
DNS
Nstx (ip-over-dns)
OzymanDNS
ICMP (ping)
Ptunnel
itun
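IP-over-DNS tools of the Nstx and OzymanDNS kind have to put their data somewhere, and the only place is the query name and a record type that can carry a reply, so the names get long, random-looking and numerous. The following added example (written for this transcript, not code from the slides or from either tool) scores queries from a DNS log on those properties; the log layout and the query lines are constructed, the "last two labels" domain split stands in for a public-suffix lookup, and the thresholds are illustrative assumptions:

```python
"""Spot IP-over-DNS tunnelling (the Nstx / OzymanDNS pattern) in a DNS query log.

Added example, not code from the slides or from either tool. Tunnels carry
data in the subdomain labels, so names become long, random-looking and
numerous, and use record types that can carry bulk data (TXT, NULL).
"""
import math
from collections import Counter, defaultdict

# Constructed log lines in a made-up "<time> <client> <qtype> <qname>" layout.
SAMPLE_QUERIES = """\
10:00:01 192.0.2.10 A www.example.com
10:00:02 192.0.2.10 A mail.example.com
10:00:03 192.0.2.10 TXT _dmarc.example.com
10:00:04 192.0.2.25 TXT 4g9x2kq8sd7fh3j1lp0vmz6nbt5rwc8yq.a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.tunnel.example.net
10:00:05 192.0.2.25 TXT q7w8e9r0t1y2u3i4o5p6a7s8d9f0g1h2.z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4.tunnel.example.net
10:00:06 192.0.2.25 NULL m4n5b6v7c8x9z0a1s2d3f4g5h6j7k8l9.p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7.tunnel.example.net
10:00:07 192.0.2.10 A cdn.example.org
"""

BULK_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload data scores far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain labels, registered domain). 'Last two labels' is an
    assumption standing in for a public-suffix-list lookup."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def tunnel_indicators(qtype: str, qname: str):
    """Independent signs that one query is carrying tunnelled data (thresholds are illustrative)."""
    sub, _ = split_name(qname)
    payload = "".join(sub)
    reasons = []
    if sub and max(len(label) for label in sub) >= 30:
        reasons.append("long label")
    if len(payload) >= 40:
        reasons.append("long subdomain part")
    if len(payload) >= 16 and shannon_entropy(payload) >= 3.5:
        reasons.append("high entropy")
    if qtype.upper() in BULK_QTYPES:
        reasons.append("bulk-capable qtype")
    return reasons


def is_suspicious(qtype: str, qname: str) -> bool:
    """One indicator alone is common in legitimate traffic (TXT for _dmarc, say);
    two or more together are not."""
    return len(tunnel_indicators(qtype, qname)) >= 2


def analyze(log_text: str):
    """Per (client, registered domain): total queries, suspicious queries, distinct names.
    The count of individually boring queries is what exposes a slow tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "names": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, client, qtype, qname = line.split(maxsplit=3)
        _, domain = split_name(qname)
        entry = stats[(client, domain)]
        entry["queries"] += 1
        entry["names"].add(qname.lower())
        if is_suspicious(qtype, qname):
            entry["suspicious"] += 1
    return {k: {"queries": v["queries"], "suspicious": v["suspicious"],
                "distinct_names": len(v["names"])} for k, v in stats.items()}


def tunnel_suspects(log_text: str, min_suspicious: int = 2):
    """(client, domain) pairs with at least min_suspicious flagged queries."""
    return sorted(k for k, v in analyze(log_text).items() if v["suspicious"] >= min_suspicious)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_QUERIES).items():
        print(key, value)
    print("suspects:", tunnel_suspects(SAMPLE_QUERIES))
```

Requiring two indicators keeps ordinary TXT lookups (SPF, DMARC) and long but low-entropy CDN names out of the result; aggregating per client and domain is what turns three individually tolerable queries into a finding.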
Other problems with firewalls
If it doesn't go through the firewall, the firewall can't do anything
Wireless
VPN connected systems
The allow any outbound rule
-- enough said
Anatomy of an Attack
Victim clicks URL from email or web
Infected site serves up URL in IFRAME
Victim makes HTTP request to msf web server
Msf web server returns wmf or other client side exploit
PassiveX modifies registry entries on Windows to permit loading untrusted ActiveX controls
PassiveX loads second stage ActiveX control from msf web server
PassiveX loads payload dll (Meterpreter, VNC, etc) from attacker (tunneled over HTTP)
Blue sky: What is the solution?
Put the PC in a safe, disconnected from power
Marcus Ranum's "Ultimately Secure Deep Packet Inspection and Application Security System"
Wirecutters
Allow only limited protocols to trusted (whitelisted) connections
Don't tunnel stuff over HTTP
IETF ratifies secure protocols
Real world: what helps
Layer 7 firewalls check for protocol conformance
Just because it goes over port 80 doesn't mean it's HTTP
Signatures can catch unsophisticated payloads
Host based signatures are better, as network permutations are removed
Statistical analysis of traffic
Ranum's second law of Log Analysis:
"The number of times an uninteresting thing happens is an interesting thing"
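The "Anatomy of an Attack" slide ends with a payload tunneled over HTTP, and such a payload has to poll its server; each poll is a boring 200 OK in the proxy log, but the count and regularity of those polls are not boring, which is what the statistical-analysis bullet and Ranum's second law point at. The following added example (written for this transcript, not code from the slides or from Metasploit) computes per client-and-host request counts and the regularity of the gaps between requests; the log layout, the log lines and the thresholds are constructed assumptions:

```python
"""Statistical look at an outbound web-proxy log: find the host that is
"uninterestingly" fetching the same server at a fixed interval.

Added example, not code from the slides. Counting and timing the dull
requests is the point of Ranum's second law of log analysis.
"""
import statistics
from collections import defaultdict

# Constructed proxy log lines in a made-up "<HH:MM:SS> <client> <method> <host> <status>" layout.
SAMPLE_LOG = """\
09:00:00 192.0.2.25 GET beacon.invalid 200
09:00:05 192.0.2.10 GET www.example.com 200
09:00:07 192.0.2.10 GET www.example.com 200
09:00:30 192.0.2.10 GET www.example.com 304
09:01:00 192.0.2.25 GET beacon.invalid 200
09:02:01 192.0.2.25 GET beacon.invalid 200
09:02:15 192.0.2.10 GET www.example.com 200
09:02:16 192.0.2.10 GET static.example.com 200
09:03:00 192.0.2.25 GET beacon.invalid 200
09:03:59 192.0.2.25 GET beacon.invalid 200
09:05:00 192.0.2.25 GET beacon.invalid 200
09:06:01 192.0.2.25 GET beacon.invalid 200
09:07:00 192.0.2.25 GET beacon.invalid 200
09:10:40 192.0.2.10 GET www.example.com 200
09:11:02 192.0.2.10 GET www.example.com 200
"""


def to_seconds(hhmmss: str) -> int:
    """Clock time to seconds since midnight (the sample log stays within one day)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def requests_by_pair(log_text: str):
    """(client, host) -> sorted list of request times in seconds."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, _method, host, _status = line.split()
        pairs[(client, host)].append(to_seconds(when))
    return {k: sorted(v) for k, v in pairs.items()}


def interval_stats(log_text: str):
    """Per (client, host): request count, mean gap between consecutive requests,
    and coefficient of variation (stdev / mean) of those gaps."""
    result = {}
    for key, times in requests_by_pair(log_text).items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            result[key] = {"count": len(times), "mean_gap": None, "cv": None}
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else None
        result[key] = {"count": len(times), "mean_gap": mean, "cv": cv}
    return result


def find_beacons(log_text: str, min_requests: int = 6, max_cv: float = 0.1):
    """Pairs with many requests whose spacing barely varies: a program, not a
    person, is driving them. Thresholds are illustrative assumptions."""
    return sorted(
        key for key, s in interval_stats(log_text).items()
        if s["count"] >= min_requests and s["cv"] is not None and s["cv"] <= max_cv
    )


if __name__ == "__main__":
    for key, s in interval_stats(SAMPLE_LOG).items():
        print(key, s)
    print("beacons:", find_beacons(SAMPLE_LOG))
```

The browsing client makes as many requests to www.example.com as the polling client makes to beacon.invalid, so a plain count does not separate them; the spread of the gaps does. Real tools add jitter, so the coefficient-of-variation threshold is something to tune against a baseline rather than a constant.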
Quotes (because we're geeks)
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." -- Gene Spafford
"Most organizations have already given up control over outgoing traffic. What they don't realize is that, by extension, they have also given up control over incoming traffic." -- Marcus Ranum
"When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer." -- Harry Browne